WannaCry ransomware used in widespread attacks all over the world

Earlier today, our products detected and successfully blocked a large number of ransomware attacks around the world. In these attacks, data is encrypted with the extension “.WCRY” added to the filenames.

Our analysis indicates the attack, dubbed “WannaCry”, is initiated through an SMBv2 remote code execution in Microsoft Windows. This exploit (codenamed “EternalBlue”) has been made available on the internet through the Shadowbrokers dump on April 14th, 2017 and patched by Microsoft on March 14.

Unfortunately, it appears that many organizations have not yet installed the patch.

Source: https://support.kaspersky.com/shadowbrokers

A few hours ago, Spain’s Computer Emergency Response Team CCN-CERT, posted an alert on their site about a massive ransomware attack affecting several Spanish organizations. The alert recommends the installation of updates in the Microsoft March 2017 Security Bulletin as a means of stopping the spread of the attack.

The National Health Service (NHS) in the U.K. also issued an alert and confirmed infections at 16 medical institutions. We have confirmed additional infections in several additional countries, including Russia, Ukraine, and India.

It’s important to understand that while unpatched Windows computers exposing their SMB services can be remotely attacked with the “EternalBlue” exploit and infected by the WannaCry ransomware, the lack of existence of this vulnerability doesn’t really prevent the ransomware component from working. Nevertheless, the presence of this vulnerability appears to be the most significant factor that caused the outbreak.

CCN-CERT alert (in Spanish)

Analysis of the attack

Currently, we have recorded more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world, mostly in Russia. It’s important to note that our visibility may be limited and incomplete and the range of targets and victims is likely much, much higher.

Geographical target distribution according to our telemetry for the first few hours of the attack

The malware used in the attacks encrypts the files and also drops and executes a decryptor tool. The request for $600 in Bitcoin is displayed along with the wallet. It’s interesting that the initial request in this sample is for $600 USD, as the first five payments to that wallet is approximately $300 USD. It suggests that the group is increasing the ransom demands.

The tool was designed to address users of multiple countries, with translated messages in different languages.

Language list that the malware supports

Note that the “payment will be raised” after a specific countdown, along with another display raising urgency to pay up, threatening that the user will completely lose their files after the set timeout. Not all ransomware provides this timer countdown.

To make sure that the user doesn’t miss the warning, the tool changes the user’s wallpaper with instructions on how to find the decryptor tool dropped by the malware.

An image used to replace user’s wallpaper

Malware samples contain no reference to any specific culture or codepage other than universal English and Latin codepage CP1252. The files contain version info stolen from random Microsoft Windows 7 system tools:

Properties of malware files used by WannaCry

For convenient bitcoin payments, the malware directs to a page with a QR code at btcfrog, which links to their main bitcoin wallet 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94. Image metadata does not provide any additional info:

What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to
recover your files, but do not waste your time. Nobody can recover your files without our decryption service.

Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.
You can decrypt some of your files for free. Try now by clicking .
But if you want to decrypt all your files, you need to pay.
You only have 3 days to submit the payment. After that the price will be doubled.
Also, if you don't pay in 7 days, you won't be able to recover your files forever.
We will have free events for users who are so poor that they couldn't pay in 6 months.

How Do I Pay?
Payment is accepted in Bitcoin only. For more information, click .
Please check the current price of Bitcoin and buy some bitcoins. For more information, click .
And send the correct amount to the address specified in this window.
After your payment, click . Best time to check: 9:00am - 11:00am GMT from Monday to Friday.
Once the payment is checked, you can start decrypting your files immediately.

Contact
If you need our assistance, send a message by clicking .

We strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets
updated and removes this software automatically, it will not be able to recover your files even if you pay!

It also drops batch and VBS script files, and a “readme” (contents are provided in the appendix).

Just in case the user closed out the bright red dialog box, or doesn’t understand it, the attackers drop a text file to disk with further instruction. An example of their “readme” dropped to disk as “@Please_Read_Me@.txt” to many directories on the victim host. Note that the English written here is done well, with the exception of “How can I trust?”. To date, only two transactions appear to have been made with this 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn bitcoin address for almost $300:

Q: What's wrong with my files?

A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!

Q: What do I do?

A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)

Q: How can I trust?

A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.

* If you need our assistance, send a message by clicking on the decryptor window.

Once started it immediately spawns several processes to change file permissions and communicate with tor hidden c2 servers:

The malware use TOR hidden services for command and control. The list of .onion domains inside is as following:

gx7ekbenv2riucmf.onion

57g7spgrzlojinas.onion

Xxlvbrloxvriy2c5.onion

76jdd2ir2embyv47.onion

cwwnhwhlz52maqm7.onion

sqjolphimrr7jqw6.onion

Mitigation and detection information

Quite essential in stopping these attacks is the Kaspersky System Watcher component. The System Watcher component has the ability to rollback the changes done by ransomware in the event that a malicious sample managed to bypass other defenses. This is extremely useful in case a ransomware sample slips past defenses and attempts to encrypt the data on the disk.

System Watcher blocking the WannaCry attacks

Mitigation recommendations:

Make sure that all hosts are running and have enabled endpoint security solutions.

Install the official patch (MS17-010) from Microsoft, which closes the affected SMB Server vulnerability used in this attack.

Ensure that Kaspersky Lab products have the System Watcher component enabled.

Scan all systems. After detecting the malware attack as MEM:Trojan.Win64.EquationDrug.gen, reboot the system. Once again, make sure MS17-010 patches are installed.

Most infected computers are in Russia and it’s a sign that WannaCry is a planned cyber-attack against Russian organizations and institutions, including Ministry of Internal Affairs of Russia and Investigative Committee of Russia as it’s sai there https://malwareless.com/wannacry-ransomware-massively-attacks-computer-systems-world/ . Russian hackers never attacked computers inside their country with ransomware in order to avoid further problems with police and FSB

KSWS (Kaspersky Security for Windows Servers) will monitor file shares on the server it is installed on using the Anti-Cryptor component if it is enabled. Should it detect an encryption algorithm being performed on contents of a file share by another endpoint, it will sever the network connection to that endpoint for an hour.

Hi,
Is it correct attack over SMBv2? The MS17-010 official description talks about SMBv1
”
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
“

You’ll need to provide a bit more validation than an anonymous assertion! Given that no other source in the world (other than people quoting this page) are identifying an SMB v2 flaw this has to be considered a typo someone doesn’t want to back down from.

“The vulnerability exploited by the EternalBlue tool lies in the SMBv1 implementation. However, to exploit it, the tool also uses SMBv2. This means that it uses both SMBv1 and SMBv2 packets during the attack. Disabling SMBv1 or SMBv2 prevents the infection; however, while disabling SMBv1 (an old protocol) has no significant impact on modern systems, disabling SMBv2 can cause problems. This is why it is highly recommended to disable SMBv1 for the current attack and for the future.”https://securelist.com/blog/research/78411/wannacry-faq-what-you-need-to-know-today/

Windows XP does not support SMBv2: it supports only SMBv1. So, if Windows XP machines were infected by EternalBlue (which appears to be the case) there must be an infection route that employs SMBv1 alone, without the help of SMBv2.

Surely the people at fault here are those that did not install the March Windows update?
We are now nearly halfway through May.
I can’t think of any excuse not to keep updated with security vulnerability patches!
Keep up the good work, guys!

To decrypt files changed by ransomware is not an easy task. It usually requires access to the encryption key. Whether someones shares this key, they find it during analysis, or just due to sloppy programming from the ransomwares author.
Either way, if a key is found, Kaspersky Lab makes decryption tools and they are all free. You can find existing ones on the website nomoreransom.org

Regarding protection from this malware using Kaspersky Lab solutions. Yes, you are protected. On top of this, this malware normally gains access to a computer via the user opening an attachment in a spam email. If you don’t know the sender, don’t open the attachment. Even if you know the sender, if you aren’t expecting a file, don’t open it.
The other way it can infect your machine is if you are unpatched and someone else using the same network opens the email. Say a family member for example.
Keep persisting with Windows Updates, they can take a while, but should work eventually.
If your windows updates were applied and you had up to date Kaspersky Lab software, you had nothing at all to worry about.

The Microsoft Support Lifecycle http://go.microsoft.com/fwlink/?LinkId=21742 when searched for my OS (Win XP SP3), shows the “Extended Support End Date” was 4/8/2014 — more than 3 years ago. Can you clarify your post, Xx?

There is no single solution-but heaps of options like I stated in the start, there’s no hard and fast manual that claims to the purpose solutions to all your problems. Today in the event that you pose a particular problem to some panel of experts, you’re certain to find many distinct opinions and options in return. This will prove to be confusing.

I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above.